Written Information Security Plans (WISPs) are critical documents for organizations looking to protect their sensitive information against potential cyber threats. A well-developed WISP outlines a company's security policies, procedures, and controls to maintain regulatory compliance and mitigate security risks. Here's what you need to know about creating an effective WISP.

History of WISPs

WISPs are a product of the growing need for cybersecurity measures in response to the increasing amount of sensitive information stored and processed electronically. In 1996, the Health Insurance Portability and Accountability Act (HIPAA) set the standard for developing WISPs by requiring all covered entities to implement security policies and procedures. Since then, many other industries have followed suit and developed their own WISPs to maintain compliance with various regulations.

Sections of a WISP

A comprehensive WISP should include the following sections:

1. Introduction

The introduction provides an overview of the WISP and its purpose. It should also specify the types of sensitive information that the plan is designed to protect.

2. Risk Assessment

A risk assessment is a crucial component of any WISP. It identifies potential security threats and assesses their likelihood and potential impact. This section should include a detailed analysis of the risks faced by the organization.

3. Security Policies and Procedures

This section establishes the specific policies and procedures that the company will implement to protect sensitive information. The policies and procedures should be tailored to the organization's unique needs and risks. This section should include the following controls:

Access Control

Access controls ensure that only authorized personnel have access to sensitive information. This may include password policies, two-factor authentication, and biometric authentication.

Network Security

Network security measures protect against unauthorized access and data breaches. This may include firewalls, intrusion detection systems, and penetration testing.

Data Protection

Data protection controls safeguard against unauthorized access, modification, and deletion of sensitive information. This may include encryption, backup and recovery procedures, and data retention policies.

4. Roles and Responsibilities

This section identifies the individuals or departments responsible for implementing and enforcing the security policies and procedures outlined in the WISP. It should clearly define roles and responsibilities, including those of upper management.

5. Technical Controls

This section describes the technical controls that the company will implement to protect sensitive information. This may include firewalls, encryption, access controls, and other security technologies.

Here is a list of technical controls:

  1. Access Controls: This refers to the processes and technologies that are put in place to ensure that only authorized users have access to sensitive data or systems. Examples of access controls include password policies, two-factor authentication, and role-based access control.
  2. Network Security: This includes the use of firewalls, intrusion detection/prevention systems, and other network security technologies to protect against unauthorized access, data loss, and other security threats.
  3. Endpoint Security: This involves the use of antivirus software, encryption, and other technologies to protect individual devices (such as laptops and smartphones) from security threats.
  4. Data Backup and Recovery: This involves the regular backup of critical data to ensure that it can be restored in the event of a security breach or other data loss event.
  5. Security Monitoring and Incident Response: This involves the use of security monitoring tools and procedures to identify security incidents and respond to them quickly and effectively.
  6. Security Awareness and Training: This refers to the education and training provided to employees to ensure that they are aware of security threats and know how to respond to them.

6. Administrative Controls

This section describes the administrative controls that the company will implement to protect sensitive information. This may include security training for employees, background checks for personnel with access to sensitive information, and regular security audits.

Here is a list of administrative controls:

  1. Security Policies and Procedures: This involves the creation and implementation of policies and procedures that outline how sensitive data and systems should be secured and how employees should behave to ensure their security. These policies can include acceptable use policies, data retention policies, and incident response procedures.
  2. Risk Assessments: This involves regular assessments of security risks to identify potential threats and vulnerabilities to sensitive data and systems.
  3. Employee Screening and Training: This includes background checks for new employees and regular security training for all employees to ensure they are aware of security threats and know how to respond to them.
  4. Physical Security: This includes measures such as security cameras, access control systems, and security guards to protect physical locations where sensitive data and systems are stored.
  5. Vendor Management: This involves assessing and managing the security risks associated with third-party vendors that have access to sensitive data or systems.
  6. Compliance Management: This involves ensuring that the organization is compliant with all relevant regulatory requirements and industry standards for information security.

7. Incident Response

This section establishes the procedures for responding to security incidents, including how to report incidents, who to notify, and how to recover from the incident.

8. Business Continuity

This section describes how the company will maintain business operations in the event of a security incident or disaster. This may include backup and recovery procedures, redundancy planning, and other measures to ensure continuity of operations.

9. Review and Update

This section establishes a schedule for regularly reviewing and updating the WISP to ensure that it remains relevant and effective.

Cleared Systems offers consulting and support services to help organizations develop and implement effective WISPs. Our team of experts can conduct a thorough risk assessment, develop policies and procedures tailored to your organization's unique needs, and provide ongoing support to maintain compliance and mitigate security risks. Contact us today to learn more about our WISP consulting and support services.

Author Profile

Carl B. Johnson, President of Cleared Systems, is a highly experienced ITAR, CMMC 2.0, Microsoft GCC High, and Microsoft DLP/AIP consultant. With over twenty years of experience in information assurance, cybersecurity, policy development, risk management, and regulatory compliance, he brings a wealth of knowledge and expertise to his clients.
